onapsis webcasttopnotes final

Uploaded by nizartcs, posted 02-Jun-2018

TRANSCRIPT

    8/10/2019 Onapsis Webcasttopnotes Final

  • Slide 1/17: A Guide to Understanding the Most Impactful SAP Security Notes of 2014

    CONFIDENTIAL 2014 Onapsis, Inc. All Rights Reserved. 04/11/2014

    Alex Horan, Product Manager

  • Slide 2/17: Agenda

    Introductions
    Purpose of Webcast
    CVSS Explained
    Security Note Release Review
    Conclusion

  • Slide 3/17: Introductions

    Onapsis: a company focused on the security of ERP systems and business-critical infrastructure (SAP, Siebel, Oracle E-Business Suite(TM), PeopleSoft, JD Edwards). Working with large global and government organizations.

    What does Onapsis do? Innovative ERP security software (Onapsis X1, Onapsis Bizploit, Onapsis IA). ERP security consulting services. Trainings on business-critical infrastructure security.

    Presenter: Alex Horan, Product Manager, Security

  • Slide 4/17: Purpose of Webcast

    Raising SAP Security Note awareness
    SAP Security Note schedule
    Security Note analysis
    Security Note best practices

  • Slide 5/17: CVSS

    The Common Vulnerability Scoring System (CVSS) is a vulnerability scoring system designed to provide an open and standardized method for rating IT vulnerabilities. CVSS helps organizations prioritize and coordinate a joint response to security vulnerabilities by communicating the base, temporal and environmental properties of a vulnerability.

    http://www.first.org/cvss
  • Slide 6/17: January

    34 Security Notes released. Five older security notes were updated due to new security issues: 1687668, 1425123, 1675484, 1744747 and 1903266.

    Highlight Note Details
    Number: 1922547
    Title: Missing authentication check in NW EP iView Wizard
    CVSS: 6.4 (AV:N/AC:L/AU:N/C:P/I:P/A:N)
    Details: The NW Portal new iView wizard component does not contain authentication checks for checking a user's access to some of its functions.

  • Slide 7/17: February

    33 Security Notes released (67 YTD). Ten notes addressed hardcoded credentials: 1914777, 1915873, 1920323, 1738965, 1795463, 1768049, 1911174, 1791081, 1789569. 1905408 had a CVSS of 8.3 (AV:N/AC:M/AU:N/C:P/I:P/A:C); 1846438 has a CVSS of 7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P).

    Highlight Note Details
    Number: 1963100
    Title: Disabling execution of operating system commands using a CTC URL
    CVSS: 9.0 (AV:N/AC:L/AU:S/C:C/I:C/A:C)
    Details: The CTC application contains a vulnerability where any operating system command can be executed on an AS Java host using NWA credentials through a URL invocation. Typically, this requires authentication using NWA credentials. If you have not already implemented SAP Security Note 1445998, then this can be done without authentication using NWA credentials.

  • Slide 8/17: March

    9 Security Notes released (76 YTD). First HANA vulnerabilities reported by a third party.

    Highlight Note Details
    Number: 1965610
    Title: Code injection vulnerability in external commands
    CVSS: 7.5 (AV:N/AC:M/AU:S/C:P/I:P/A:C)
    Details: The program code contains a possibility to define and execute operating system commands that change the behavior of the system. A valid and authenticated user is required. Depending on the command, the user can: inject and run their own code, obtain additional information that should not be displayed, modify data, delete data, modify the output of the system, create new users with higher privileges, perform a denial-of-service attack.

  • Slide 9/17

  • Slide 10/17: May

    17 Security Notes released (116 YTD). 3 notes released related to the Heartbleed vulnerability.

    Highlight Note Details
    Number: 2015882
    Title: Apache Struts 2 Vulnerability in SAP Online Banking
    CVSS: Not reported by SAP. NVD reported: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0112
    Details: The excluded parameter pattern introduced in Apache Struts version 2.3.16.1 to block access to the getClass() method wasn't sufficient. It is possible to bypass it with specially crafted requests.

    According to NVD: ParametersInterceptor in Apache Struts before 2.3.16.2 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.

  • Slide 11/17: June

    21 Security Notes released (137 YTD). 8 notes with a CVSS of 5.0 or higher.

    Highlight Note Details
    Number: 2007530
    Title: Invalid User Authentication in Unix SAP Content Server
    CVSS: 7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)
    Details: BC-SRV-KPR-CS does not perform authentication checks when shadow passwords are enabled. This may result in undesired system behavior.

  • Slide 12/17: July

    14 Security Notes released (151 YTD). Vulnerability patched in Afaria server.

    Highlight Note Details
    Number: 2036562
    Title: Potential modification of persisted data in Afaria Server
    CVSS: 8.8 (AV:N/AC:M/AU:N/C:N/I:C/A:C)
    Details: The problem is caused by an SQL injection vulnerability. The code composes an SQL statement that contains strings that can be altered by an attacker. The manipulated SQL statement can then be used to modify information in the database.

  • Slide 13/17: August

    37 Security Notes released (188 YTD). 3 notes over 8.0.

    Highlight Note Details
    Number: 2053074
    Title: Potential modification of persisted data in Afaria Server
    CVSS: 8.8 (AV:N/AC:M/AU:N/C:N/I:C/A:C)
    Details: The problem is caused by an SQL injection vulnerability. The code composes an SQL statement that contains strings that can be altered by an attacker. The manipulated SQL statement can then be used to modify information in the database.

  • Slide 14/17: September

    29 Security Notes released (217 YTD). Note published for SAP ONE CLOUD solution.

    Highlight Note Details
    Number: 1979454
    Title: Missing authorization check in Batch Input Recorder
    CVSS: 6.5 (AV:N/AC:L/AU:S/C:P/I:P/A:P)
    Details: Batch Input Recorder does not contain authorization checks for checking an authenticated user's authorization to access some of its functions. This may result in undesired system behavior.

  • Slide 15/17: October

    34 Security Notes released (251 YTD). Hot News item delivered.

    Highlight Note Details
    Number: 2043404
    Title: Code injection vulnerability in CRM-ISA
    CVSS: 9.3 (AV:N/AC:M/AU:N/C:C/I:C/A:C) (originally released as a 7.5; updated by Note 2085139 on 28.10.2014)
    Details: The program code contains a possibility to define and execute user-defined code that changes the behavior of the system. A valid and authenticated user is not required. Depending on the code, the user can: inject and run their own code, obtain additional information that should not be displayed, modify data, delete data, modify the output of the system, create new users with higher privileges, perform a denial-of-service attack.

  • Slide 16/17: Conclusion

    Create a process to review new notes.
    Have a procedure to monitor old notes for changes.
    Understand the risk the notes mean for you.
    Reduce the risk to an acceptable level.
    Monitor for changes to risk.
    Once the above is defined, automate.

  • Slide 17/17: Questions?

    Alex Horan: [email protected]